[strongSwan-dev] Responding to invalid/unknown ESP SPI

Zachery Stoddard zacherystoddard at gmail.com
Mon Aug 6 19:34:48 CEST 2012


It is my current understanding that the default behavior of a Strongswan
system is to silently discard ESP packets with unknown SPI values.  I have
the need to change this default behavior and send an unencrypted
notification of INVALID_SPI.   I'm having a hard time locating where in the
code base I would even begin to modify to tackle this problem as it seems
that libcharon is largely unaware of ESP traffic.  Furthermore, I'm not
even sure that performing this capability within libcharon would be
appropriate or convenient since it doesn't process ESP except that
libcharon already has the notification encoding and already owns the
sending sockets.

libcharon, libhydra, and socket-default are a large code base and I'm
facing quite a learning curve.

Has anyone tried to do this before?
Could anyone recommend an outline of the areas to look more closely into?

First things first, I'm not even entirely sure what the best way is to capture
un-xfrm-ed ESP packets.

Any insight or even fingers pointing in the right direction would be very
appreciated.

-Zach
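To make the decision the post describes concrete, here is an added example that is not code from strongSwan or from the poster: it reads the SPI from an inbound ESP packet (RFC 4303 header), checks it against a constructed inbound SA table, and for an unknown SPI encodes the IKEv2 INVALID_SPI Notify payload (RFC 7296) that would go in an unprotected INFORMATIONAL message, with a simple per-SPI rate limit because the reply is unauthenticated and the triggering packet can be spoofed. The `EspSpiPolicy` class, the notify interval and the sample SPIs are assumptions for illustration.

```python
import struct

# IKEv2 constants from RFC 7296: Protocol ID for ESP and the INVALID_SPI notify type.
PROTO_ESP = 3
NOTIFY_INVALID_SPI = 11


def parse_esp_spi(packet: bytes):
    """Return (spi, seq) from an ESP packet: RFC 4303 puts a 4-byte SPI and a
    4-byte sequence number in front of the (possibly encrypted) payload."""
    if len(packet) < 8:
        raise ValueError("ESP packet too short for SPI and sequence number")
    return struct.unpack("!II", packet[:8])


def build_invalid_spi_notify(spi: int, next_payload: int = 0) -> bytes:
    """Encode an IKEv2 Notify payload carrying INVALID_SPI for an ESP SPI.
    Generic payload header: next payload, critical bit + reserved, length.
    Notify body: protocol ID, SPI size, notify message type, then the SPI."""
    spi_bytes = struct.pack("!I", spi)
    body = struct.pack("!BBH", PROTO_ESP, len(spi_bytes), NOTIFY_INVALID_SPI) + spi_bytes
    return struct.pack("!BBH", next_payload, 0, 4 + len(body)) + body


class EspSpiPolicy:
    """Hypothetical policy object: decides per inbound ESP packet whether to
    deliver it, send an INVALID_SPI notification, or drop it silently."""

    def __init__(self, inbound_spis, notify_interval: float = 60.0):
        self.inbound_spis = set(inbound_spis)      # SPIs of our inbound ESP SAs
        self.notify_interval = notify_interval    # seconds between notifies per SPI
        self._last_notify = {}                    # spi -> timestamp of last notify

    def handle(self, packet: bytes, now: float):
        spi, _seq = parse_esp_spi(packet)
        if spi in self.inbound_spis:
            return "deliver", None
        # Unknown SPI: the default strongSwan behaviour is to drop here. Sending a
        # notify is optional, so limit how often an unauthenticated peer can make
        # us answer for the same SPI.
        last = self._last_notify.get(spi)
        if last is not None and now - last < self.notify_interval:
            return "drop", None
        self._last_notify[spi] = now
        return "notify", build_invalid_spi_notify(spi)


# Constructed sample: one known inbound SA and one ESP packet with a bogus SPI.
SAMPLE_KNOWN_SPI = 0xC0FFEE01
SAMPLE_UNKNOWN_PACKET = struct.pack("!II", 0xDEADBEEF, 1) + b"\x00" * 16
```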